From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Matt Helsley <matthltc@us.ibm.com>
Cc: Oren Laadan <orenl@cs.columbia.edu>,
Peter Chubb <peterc@gelato.unsw.edu.au>,
linux-api@vger.kernel.org, containers@lists.linux-foundation.org,
mingo@elte.hu, linux-kernel@vger.kernel.org,
Dave Hansen <dave@linux.vnet.ibm.com>,
linux-mm@kvack.org, viro@zeniv.linux.org.uk, hpa@zytor.com,
Andrew Morton <akpm@linux-foundation.org>,
torvalds@linux-foundation.org, tglx@linutronix.de
Subject: Re: [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart
Date: Mon, 27 Oct 2008 16:20:36 -0500 [thread overview]
Message-ID: <20081027212036.GA32162@us.ibm.com> (raw)
In-Reply-To: <1225140705.5115.40.camel@enoch>
Quoting Matt Helsley (matthltc@us.ibm.com):
> On Mon, 2008-10-27 at 13:11 -0400, Oren Laadan wrote:
> > Dave Hansen wrote:
> > > On Mon, 2008-10-27 at 07:03 -0400, Oren Laadan wrote:
> > >>> In our implementation, we simply refused to checkpoint setid
> > >> programs.
> > >>
> > >> True. And this works very well for HPC applications.
> > >>
> > >> However, it doesn't work so well for server applications, for
> > >> instance.
> > >>
> > >> Also, you could use file system snapshotting to ensure that the file
> > >> system view does not change, and still face the same issue.
> > >>
> > >> So I'm perfectly ok with deferring this discussion to a later time :)
> > >
> > > Oren, is this a good place to stick a process_deny_checkpoint()? Both
> > > so we refuse to checkpoint, and document this as something that has to
> > > be addressed later?
> >
> > why refuse to checkpoint ?
>
> If most setuid programs hold privileged resources for extended periods
> of time after dropping privileges then it seems like a good idea to
> refuse to checkpoint. Restart of those programs would be quite
> unreliable unless/until we find a nice solution.
I agree with Dave and Matt. Let's assume that we have a setuid root
program which creates some resources then drops to username kooky. If
you now checkpoint and restart that program, then a stupid restart will
either
1. be done as user kooky and not be able to recreate the
resources, fail.
2. be done as user root and not drop uid back to kooky, unsafe.
For the earliest prototypes of c/r, I think saying that setuid an the
life of a container makes checkpoint impossible is the right thing to
do.
-serge
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2008-10-27 21:20 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-20 5:40 [RFC v7][PATCH 0/9] Kernel based checkpoint/restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 1/9] Create syscalls: sys_checkpoint, sys_restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart Oren Laadan
2008-10-21 19:41 ` Andrew Morton
2008-10-21 20:24 ` Serge E. Hallyn
2008-10-21 20:41 ` Andrew Morton
2008-10-22 1:33 ` Oren Laadan
2008-10-22 2:55 ` Daniel Jacobowitz
2008-10-22 3:02 ` Dave Hansen
2008-10-22 14:29 ` Daniel Jacobowitz
2008-10-22 15:28 ` Serge E. Hallyn
2008-10-22 16:02 ` Oren Laadan
2008-10-22 17:03 ` Serge E. Hallyn
2008-10-22 18:32 ` Oren Laadan
2008-10-27 8:27 ` Peter Chubb
2008-10-27 11:03 ` Oren Laadan
2008-10-27 16:42 ` Dave Hansen
2008-10-27 17:11 ` Oren Laadan
2008-10-27 20:51 ` Matt Helsley
2008-10-27 21:20 ` Serge E. Hallyn [this message]
2008-10-27 21:51 ` Oren Laadan
2008-10-27 22:09 ` Dave Hansen
2008-10-28 18:33 ` Serge E. Hallyn
2008-10-20 5:40 ` [RFC v7][PATCH 3/9] x86 support for checkpoint/restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 4/9] Dump memory address space Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 5/9] Restore " Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 6/9] Checkpoint/restart: initial documentation Oren Laadan
2008-10-28 16:48 ` Michael Kerrisk
2008-10-20 5:40 ` [RFC v7][PATCH 7/9] Infrastructure for shared objects Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 8/9] Dump open file descriptors Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 9/9] Restore open file descriprtors Oren Laadan
2008-10-21 19:21 ` [RFC v7][PATCH 0/9] Kernel based checkpoint/restart Andrew Morton
2008-10-21 20:41 ` Dave Hansen
2008-10-22 9:20 ` Ingo Molnar
2008-10-22 11:51 ` Daniel Lezcano
2008-10-22 11:55 ` Cedric Le Goater
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081027212036.GA32162@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.linux-foundation.org \
--cc=dave@linux.vnet.ibm.com \
--cc=hpa@zytor.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matthltc@us.ibm.com \
--cc=mingo@elte.hu \
--cc=orenl@cs.columbia.edu \
--cc=peterc@gelato.unsw.edu.au \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox